Understanding IT Risks

Hani Elbeyali is a technology strategist for Dell. He has 19 years of IT experience and is the author of Business Demand Design methodology, which details how to align your business strategy with your IT strategy. His previous post was Demonstrating IT Value, Illustrated.


Businesses are always trying to minimize risk to the enterprise, but smart leaders realize that profits are sometimes the rewards earned for taking educated risks. Once a manager understands that risks and rewards (or benefits) are positively correlated, the next step may be to expect that the higher the well-calculated risks, the higher the expected returns are going to be. This concept applies to the IT organization because it’s part of the overall process of any enterprise’s need to “get things done.”

What is IT Risk?

Risk, according to financial theory, refers to the unpredictability of outcome. “While financial measures of risk, such as volatility and standard deviation, measure the upside and downside of deviations from the expectations, only downside variability to be the true measure of risk”, states Mukul Pareek, in his article “Information System Control Journal.” What we infer from this statement is that risk is represented only by the downside of the expected return, and not the upside. In contrast, IT risk, or downside, is represented by the measurement of the potential for an unplanned event, internal or external, that results in a failure or misuse of IT and threatens an enterprise objective; it is no longer confined to a company’s IT department.

What are Risk Types?

Planning for risks can be a huge undertaking. Because the number of risk permutations is beyond the scope of one article, I want to give an illustration of an Enterprise Resource Planning (ERP) risk failure, and of the volatility of the risk an enterprise takes on with such a project. Potential ERP risks can be measured in two stages: during implementation and post deployment.

During Implementation: Internal factors

Risks:

Delay due to an internal event that could be beyond the control of IT; examples: business priorities change, dependencies out of line, budget constraints, and unexpected cost overruns

Siloed IT focus due to aligning IT to serve a specific line of business

Lack of alignment between business strategy and IT strategy

Not enough time, money, and effort spent on assessment, planning, and design

No executive sponsorship

Lack of a process to implement enterprise governance

Results:

Significant harm to the organization’s stakeholders and stockholders. This could result in financial loss, though the organization may be able to recover.

Example:

In December 2003, the United Kingdom’s Inland Revenue put a new system for managing tax credits into production. Pre-production testing had been limited to four weeks rather than the planned 20 weeks because the project was behind schedule. It is estimated that over £2 billion in erroneous tax credits were paid out by the system before errors were recognized and corrective measures taken.

Post Deployment: Internal and External factors

Risks:

Ineffective implementation of enterprise governance; this is especially important in today’s times of rapid strategic business change

Loss of service due to broken process flow or vendor services failure

Data leakage, theft, or misuse of information

Complex and uncontrolled IT environment; this manifests as a complex asset inventory, many overlapping IT management tools, poor documentation, and the lack of a unified change management procedure

Results:

The risk exposes bad enterprise management to customers, as well as ineffective implementation of compliance and governance, not only in IT but throughout the entire organization

Significant harm to the organization’s stakeholders and stockholders. This could result in financial loss; the organization may be able to recover, but with negative Net Present Value (NPV) and Return on Investment (RoI)

Damage to the reputation of the organization; over time, the organization may never be able to recover

Example:

In 1996, a failed implementation of SAP’s enterprise resource planning software at FoxMeyer, a $4 billion pharmaceutical distributor, allegedly led to the company’s bankruptcy. The company’s trustees filed suit against SAP (the software vendor) and Accenture (the systems integrator for the project), asking for $500 million in damages from each. The case was settled out of court in 2005.
